Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?

Feeds

Previous Document Next Document

Profile documents and Author rights in ACL

Thomas Hampel
 30 July 2012

What if a developer is using user specific profile documents to store some settings in a Domino application.
In this example users have Author access with the ability to create new documents and the ability to write public documents, no roles and no reader or author name fields are used in any document.

Image:Profile documents and Author rights in ACL

I'm wondering why users are not able to modify their own profile document by using the simple formula @Command([EditProfile]; "profile"; @Username)

Of course developers will refer to the Designer Help or
this technote where IBM clearly states:

In order to edit profile documents, including your own profile, using @Command([EditProfile]), you must have at least Editor access or Author access in the ACL plus inclusion in an Author field.


so it sounds like the user name must be listed in an author name field in order to modify an existing userprofile.


Unfortunately in reality it seems to be working slightly different... see this example:

I've created a new form to be used as a profile document, the form contained only a single field

Image:Profile documents and Author rights in ACL
Additionally I've created a small agent with the following code:


Sub
Initialize
       
Dim s As New NotesSession
       
Dim doc As NotesDocument
       
Dim ws As New NotesUIWorkspace
       
       
Set doc = s.currentdatabase.Getprofiledocument("profile", s.Effectiveusername)
       
       
'# allows to modify the field values in the backend
       
Call doc.Replaceitemvalue("Test", "test")
       
Call doc.Save(true, false)
       
       
'# allows to modify field values using the frontend
       
Call ws.Dialogbox("profile", true, true, false, false, false, false, "Test", doc, false, false, false)
       
Call doc.Save(True, False)
       
       
'# does NOT allow to modify the document
       
Call ws.Editprofile("profile", s.Effectiveusername)
End
Sub

It seems like its possible to modify userprofile documents (which dont have an author name field) even when you dont have author access to the document itself.
To clarify: the application was put on a server and access rights were limited to Author.

Image:Profile documents and Author rights in ACL

I'm wondering if there's any good explanation for this behavior.

Update : The problem has been filed as SPR (Software Problem Report) # RGAU8WZE2X and the Customer Report, APAR # LO71028 was created.
Tagged with: Code Development Notes
Comments
No Comments Found
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.